Automation with business rules
You can use a business rule to automate tasks on ServiceNow. A business rule is a server-side script that runs when a record is displayed, inserted, updated, or deleted, or when a table is queried.
You can create a business rule to monitor FortiAnalyzer incidents and events imported or updated on the FortiAnalyzer Integration App.
To create a business rule:
- In ServiceNow, go to System Definition > Business Rules, or type Business Rules in the application explorer.
- In the Business Rules page, click New.
Example business rule:
The following example uses a business rule to create a customized security incident when a Denial of Service incident is raised in FortiAnalyzer.
- Configure the business rule settings.
  Name: Enter a name for the business rule.
  Table: Select faz_incident_secops from the list.
  Application: The application that contains the business rule. The application is set to Global by default and cannot be changed.
  Active: Enables the business rule.
  Advanced: Select this option to see the advanced version of the form.
- In the When to Run area, configure the business rule condition.
  When: Select After to run the business rule when the conditions are met.
  Update: Select this option to run the business rule when the incident is updated.
  Filter Conditions:
    - Select Category from the choose field list.
    - Set the operator to Is.
    - Enter CAT2 in the Value field to run the business rule when FortiAnalyzer creates a Denial of Service (DoS) incident.
  Role Conditions: Select the roles that users who are modifying records in the table must have for this business rule to run (see ServiceNow roles).
- In the Advanced area, create a script that runs when the defined condition is true.
  Conditions: Enter a conditional statement to specify when the business rule should run.
  Script: The following script demonstrates how to change the form fields when the condition is met:
(function executeRule(current, previous /*null when async*/) {
    var incid = current.getValue('incid');
    // Check whether a security incident for this FortiAnalyzer incident already exists.
    // Use the field/value form of addQuery so the incident ID is matched as a value
    // rather than being interpreted as part of an encoded query string.
    var egr = new GlideRecord('sn_si_incident');
    egr.addQuery('short_description', incid);
    egr.setLimit(1);
    egr.query();
    if (egr.next()) {
        return; // already created, do not insert a duplicate
    }
    // Current data from the FortiAnalyzer incident record
    var severity = current.getValue('severity');
    var description = current.getValue('description');
    // Default mapping: low
    var sn_impact = 3;
    var sn_priority = 4;
    var sn_Severity = 3;
    if (severity == "high") {
        sn_impact = 1;
        sn_priority = 2;
        sn_Severity = 1;
    } else if (severity == "medium") {
        sn_impact = 2;
        sn_priority = 3;
        sn_Severity = 2;
    }
    // Create the Security Incident
    var gr = new GlideRecord('sn_si_incident');
    gr.initialize();
    gr.state = 1; // Analysis
    gr.substate = 3; // Pending incident
    gr.category = "Denial of Service";
    gr.subcategory = 12; // Inbound or outbound
    gr.severity = sn_Severity;
    gr.impact = sn_impact;
    gr.priority = sn_priority;
    gr.short_description = incid;
    gr.description = 'copy description from faz: ' + description;
    gr.insert();
})(current, previous);
- Click Submit.